
CYBER-ATTACK AUTOMATED UNCONVENTIONAL

SENSOR ENVIRONMENT (CAUSE)


PROPOSERS DAY

January 21, 2015

Office for Anticipating Surprise


INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

CAUSE Program Proposers Day Agenda

Time                Topic                                 Speaker
9:00am - 9:15am     Welcome Remarks                       Mr. Robert Rahmer, Program Manager, IARPA
9:15am - 9:45am     IARPA Overview and Remarks            Dr. Peter Highnam, Director, IARPA
9:45am - 10:30am    CAUSE Program Overview                Mr. Robert Rahmer, Program Manager, IARPA
10:30am - 10:45am   Break                                 Break
10:45am - 11:15am   Contracting Overview                  Mr. Tarek Abboushi, IARPA Acquisitions
11:15am - 11:45am   CAUSE Program Questions & Answers     Mr. Robert Rahmer, Program Manager, IARPA
11:45am - 1:00pm    No Host Lunch                         Lunch
1:00pm - 2:30pm     5-minute Capability Presentations     Attendees (No Government)
2:30pm - 4:00pm     Networking and Teaming Discussions    Attendees (No Government)

Proposers Day Goals


Familiarize participants with IARPA's interest in research to
develop methods for detecting and forecasting cyber-attacks.
Ask questions and provide feedback; this is your chance to
alter the course of events.
Foster discussion of synergistic capabilities among potential
program participants, i.e., foster teaming. Take a chance:
someone might have a missing piece of your puzzle


Disclaimer
This presentation is provided solely for information and
planning purposes.
The Proposers Day Conference does not constitute a formal
solicitation for proposals or proposal abstracts.
Nothing said at Proposers Day changes requirements set
forth in a Broad Agency Announcement (BAA).


Schedule
Full Proposals are due ~45 days after BAA is published.
Once BAA is released, questions can only be submitted and
answered in writing via the BAA guidance.


IARPA Overview

Dr. Peter Highnam


Office of the Director of National Intelligence


Central Intelligence Agency

Department of State

Defense Intelligence Agency

National Security Agency

Department of Energy

National Geospatial-Intelligence
Agency

Department of the Treasury

National Reconnaissance Office

Drug Enforcement Administration

Army

Federal Bureau of Investigation

Navy

Department of Homeland Security

Coast Guard

Air Force

Marine Corps


IARPA Mission and Method


IARPA's mission is to invest in high-risk/high-payoff research
that has the potential to provide the U.S. with an overwhelming
intelligence advantage over our future adversaries.

Bring the best minds to bear on our problems:
Full and open competition to the greatest possible extent
World-class, rotational Program Managers

Define and execute research programs that:
Have goals that are clear, measurable, ambitious and credible
Employ independent and rigorous Test & Evaluation
Involve IC partners from inception to finish
Run from three to five years

Office of Incisive Analysis

Maximizing Insight from the Information We Collect, in a Timely Fashion

Large Data Volumes and Varieties: providing powerful new sources of
information from massive, noisy data that currently overwhelm analysts.

Social-Cultural and Linguistic Factors: analyzing language and speech to
produce insights into groups and organizations.

Improving Analytic Processes: dramatic enhancements to the analytic
process at the individual and group level.

Office of Smart Collection

Dramatically Improve the Value of Collected Data

Novel Access: provide technologies for reaching hard targets in denied areas.

Asset Validation and Identity Intelligence: detect the trustworthiness of
others; advance biometrics in real-world conditions.

Tracking and Locating: accurately locate HF emitters and low-power, moving
emitters with a factor of ten improvement in geolocation accuracy.

Office of Safe and Secure Operations

Counter Emerging Adversary Potential to Deny our Ability to Operate
Effectively in a Globally-Interdependent and Networked Environment

Computational Power: revolutionary advances in science and engineering to
solve problems intractable with today's computers.

Trustworthy Components: getting the benefits of leading-edge hardware and
software without compromising security.

Safe and Secure Systems: safeguarding mission integrity in a hostile world.

Office for Anticipating Surprise

Detecting and Forecasting Significant Events

S&T Intelligence: detecting and forecasting the emergence of new technical
capabilities.

Indications & Warnings: early warning of social and economic crises, disease
outbreaks, insider threats, and cyber attacks.

Strategic Forecasting: probabilistic forecasts of major geopolitical trends
and rare events.

How to engage with IARPA


Website: www.IARPA.gov
Reach out to us, especially the IARPA PMs. Contact information on the website.
Schedule a visit if you are in the DC area or invite us to visit you.

Opportunities to Engage:
Research Programs
Multi-year research funding opportunities on specific topics
Proposers Days are a great opportunity to learn what is coming, and to influence the program

Seedlings
Allow you to contact us with your research ideas at any time
Funding is typically 9-12 months; IARPA funds to see whether a research program is warranted
IARPA periodically updates the topics of interest

Requests for Information (RFIs) and Workshops
Often lead to new research programs; opportunities for you to provide input while IARPA is
planning new programs

Concluding Thoughts
Our problems are complex and truly multidisciplinary
Technical excellence & technical truth

Scientific Method

Peer/independent review

Full and open competition

We are always looking for outstanding PMs


How to find out more about IARPA:
www.IARPA.gov

Contact Information
Phone: 301-851-7500

CYBER-ATTACK AUTOMATED
UNCONVENTIONAL SENSOR ENVIRONMENT
(CAUSE) Program Overview

Mr. Robert Rahmer, Program Manager


IARPA Office for Anticipating Surprise

CAUSE Overview
CAUSE is a multi-year research and development program.
It seeks to develop new automated methods for forecasting
and detecting cyber-attacks, hours to weeks earlier than
existing methods.
The CAUSE Program aims to develop and validate
unconventional multi-disciplined sensor technology that will
forecast cyber-attacks and complement existing advanced
intrusion detection capabilities.


Background
Cyber attacks evolve in a phased approach, which includes
activities and observations before a significant event occurs:
target reconnaissance, planning, and delivery.
Detection of new cyber events and phenomena typically
occurs in later phases of an attack.
Analysis occurs post-mortem to discover indicators from
earlier phases.

Background
Cyber Threat Intelligence capabilities often report threat actor
activities, behaviors, and planning through observables from
publicly available data, such as social media, news, chat,
blogs, message boards, and many others, providing the
means to infer motivations and intentions.


Background
Published research states some of these publicly available
data sources are useful in the early detection of other events
such as disease outbreaks and macroeconomic trends
(e.g., news feeds, Twitter, blogs, and web search queries).

2014 Verizon Data Breach Investigations Report:
Victims of data breaches are notified by external parties >75%
of the time.

Current Research
Cyber attack prediction research has evolved, utilizing a
combination of techniques:
Detailed knowledge of internal network infrastructures
Analysis of known vulnerabilities
Intrusion detection sensors for monitoring of an event in
progress to predict future phases of an attack.

Analysis of cyber actor behaviors and cultural dimensions has
shown correlations between groups and cyber activities.

Current Research
IARPA's Open Source Indicators (OSI) program developed
methods for detecting / anticipating unexpected societal
events (e.g., political crises, disease outbreaks) by fusing data
of multiple types from multiple sources and utilizing ensemble
machine learning methods.
Few have researched methods for a probabilistic warning
system for cyber defense that focuses on utilizing sensors
external to an enterprise.

Key Technical Challenges

Identify and evaluate unconventional and technical indicators
in the earlier phases of cyber attacks that are leading indicators
of later stages of the attack.
Looking for well-executed, non-traditional, creative ideas (e.g.,
black market sales analysis, cyber actor behavior models)

Create highly efficient algorithms that will process massive data
streams from diverse data sets to extract signals from noisy data.
Create techniques to fuse traditional technical indicator sensor
data and alternate unconventional indicator data sources to
develop automated probabilistic warnings.
Identify and evaluate techniques that enable sharing of disparate
threat contextual information and indicators among multiple
organizations and security professionals to forecast an attack.

Evaluation
Teams will deliver real-world cyber-attack warnings.
The goal is to "Beat the Security Incident Reports."
Teams choose sensors, data, and methods.
Teams are rewarded for early and accurate warnings of as many
reportable events as possible.
Warning delivered to IARPA =
{Time stamp, Probability of attack, Cyber-attack details}
Event details =
(Event-Class, [Attacker], [Target], Event Time)
Performers will send additional context about events which will be
valuable to end users.
Competitive forecasting tournament: the delivery of successive,
better warnings is expected; each warning will be scored separately.

Industry Scope
CAUSE is a research program, not an operational activity.
In earlier phases, CAUSE will focus research on a particular U.S.
business sector(s) that will be identified in the BAA. IARPA is
choosing a business sector(s) with the following characteristics:

Organizations that have a variety of business areas
Sufficiently representative
Variety of attack types
Variety of existing external bad actors
Variety of publicly available data
Good ground truth data for training and testing

Suggestions for data sharing partnerships with business
sector(s) are welcome; please submit an index card.

Events and Scoring

At kickoff, the Government team expects to provide a large
list of significant cyber security events that occurred over the
last 6-18 months, for which an early warning would have
been valuable.
After kickoff, the Government team expects to provide monthly
ground truth cyber security events for the last month, for
which a warning would have been expected.
Starting in Month 6, teams will deliver warnings to IARPA.
Starting in Month 12, warnings delivered to IARPA are
scored against Program milestones.

Events and Scoring

Scoring
Lead time: time the warning was delivered to IARPA compared to the
time of the earliest report of a security incident (not necessarily
the time of the event).
Probability score: accuracy of the probability assigned to the
security event.
Utility time: time the warning was delivered to IARPA compared to
the actual time of the security event.
Quality of warning: match between the event forecasted/detected and
the true event.
Recall and False Discovery Rate (FDR)

Other assessments, qualitative and quantitative, will be performed by the
Government team to evaluate each team's approach. Approaches will also be
evaluated on the context within the warnings, as judged by potential users.

Metrics
Lead Time (drives earlier event detection)
Time between warning and security incident report.
Teams will be asked to identify successive warnings for the same
event. The Government team will use this information for assessment
of each team's approach to early detection.

Probability Score
Quadratic score = 1 - (o - p)^2
p is the probability assigned to the warning, o is ground truth:
1 if the event occurred, 0 if the event didn't occur within 7 days.

Utility (drives forecasting)
Time between the warning and the actual event occurrence as recorded in
the security incident report. A 3-day minimum is the goal. The
Government team will use this information for assessment of each team's
approach to forecasting.

Metrics: Quality of Warning

For each warning we calculate the quality q = q1 + q2 + q3 + q4, where
q1 ~ Attack Classification;
q2 ~ Attacker;
q3 ~ Target;
q4 ~ Event Time.
This provides partial credit for partial warnings.
Quality will use a typology of threat actors and targets to calculate the
difference from ground truth for an attack; e.g., target:
Typology for q3 = (Industry, Organization, Logical Address, Vulnerability)
Compare the warning target with the true target to get the vector
(x1, x2, x3, x4), xi = 0 if false, xi = 1 if true.
Location quality = x1 + x1x2 + x1x2x3 + x1x2x3x4
For the time of the event, use 1 - min(|predicted time - actual time|, 7)/7.

Metrics & Scoring - Example

Warning        Time Stamp   Probability of Event   Attack Type      Source of Attack   Victim                 Time of Attack
CW1            8/1/2015     .25                    Remote Exploit   Unknown            Business A             8/4/2015
CW2            8/3/2015     .40                    Remote Exploit   IP w.x.y.z         IP a.b.c.d             8/4/2015
CW3            8/6/2015     .75                    Remote Exploit   IP w.x.y.z         IP a.b.c.d, Vuln x-1   8/4/2015
Ground Truth   8/10/2015                           Remote Exploit   IP w.x.y.z         IP a.b.c.d, Vuln x-1   8/4/2015

Metrics & Scoring - Example

Quality Scores (Victim)

Warning        Industry     Organization   Logical Address   Vulnerability   Score
CW1            Industry X   Business A                                       .5
CW2            Industry X   Business A     IP a.b.c.d                        .75
CW3            Industry X   Business A     IP a.b.c.d        Vuln x-1
Ground Truth   Industry X   Business A     IP a.b.c.d        Vuln x-1

Overall Scores

Warning   Lead Time   Probability Score   Utility Time   Quality Score
CW1       9 Days      .44                 3 Days         2.5
CW2       7 Days      .64                 1 Day          3.08
CW3       4 Days      .94                 0 Days         3.67
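The scoring rules from the Metrics slides, applied to the CW1/CW2/CW3 example above, as an added Python example; this is not IARPA's scoring code, and the function names, the zero-clamping of negative lead and utility times, the division of the location-quality sum by the four typology levels (which reproduces the .5 and .75 victim scores) and exact-match credit for the attacker field are assumptions. The deck does not give the attacker typology, so only CW1's total of 2.5 is reproduced; the CW2 and CW3 totals here differ from the slide's 3.08 and 3.67. IP addresses and names are the deck's own placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Sequence


@dataclass
class CauseWarning:
    """{time stamp, probability of attack, event details}; unknown details are None
    so the scorer can award partial credit."""
    warning_id: str
    issued: date                        # time stamp when delivered to IARPA
    probability: float                  # assigned probability of attack
    event_class: Optional[str]          # q1: attack classification
    attacker: Optional[str]             # q2: attacker
    target: Sequence[Optional[str]]     # q3: (Industry, Organization, Logical Address, Vulnerability)
    event_time: Optional[date]          # q4: predicted event time


@dataclass
class GroundTruth:
    """Government-supplied ground truth for one security incident."""
    reported: date                      # earliest security incident report
    occurred: date                      # actual time of the security event
    event_class: str
    attacker: str
    target: Sequence[str]


def quadratic_score(p: float, occurred: bool) -> float:
    """Probability score 1 - (o - p)^2 with o = 1 if the event occurred, else 0."""
    o = 1.0 if occurred else 0.0
    return 1.0 - (o - p) ** 2


def lead_time_days(w: CauseWarning, gt: GroundTruth) -> int:
    """Days from the warning to the earliest incident report (assumption: clamped at 0)."""
    return max((gt.reported - w.issued).days, 0)


def utility_time_days(w: CauseWarning, gt: GroundTruth) -> int:
    """Days from the warning to the actual event; CW3 on the slide shows the clamp at 0."""
    return max((gt.occurred - w.issued).days, 0)


def typology_quality(predicted: Sequence[Optional[str]], truth: Sequence[str]) -> float:
    """x1 + x1x2 + x1x2x3 + x1x2x3x4: credit stops at the first level that does not
    match, because every later term carries the product of the earlier x's.
    Divided by the number of levels (assumption) to land in [0, 1]."""
    total, prefix = 0, 1
    for pred, true in zip(predicted, truth):
        prefix *= 1 if (pred is not None and pred == true) else 0
        total += prefix
    return total / len(truth)


def time_quality(predicted: Optional[date], actual: date) -> float:
    """q4 = 1 - min(|predicted - actual|, 7)/7; no predicted time earns nothing."""
    if predicted is None:
        return 0.0
    return 1.0 - min(abs((predicted - actual).days), 7) / 7


def quality(w: CauseWarning, gt: GroundTruth) -> float:
    """q = q1 + q2 + q3 + q4; q1 and q2 are exact-match 0/1 here (assumption)."""
    q1 = 1.0 if w.event_class == gt.event_class else 0.0
    q2 = 1.0 if w.attacker == gt.attacker else 0.0
    q3 = typology_quality(w.target, gt.target)
    q4 = time_quality(w.event_time, gt.occurred)
    return q1 + q2 + q3 + q4


def score(w: CauseWarning, gt: GroundTruth, occurred: bool = True) -> dict:
    """All per-warning metrics for one warning against one ground-truth event."""
    return {
        "lead_time_days": lead_time_days(w, gt),
        "probability_score": quadratic_score(w.probability, occurred),
        "utility_time_days": utility_time_days(w, gt),
        "quality": quality(w, gt),
    }


# The worked example from the slides (values copied from the deck).
GROUND_TRUTH = GroundTruth(
    reported=date(2015, 8, 10), occurred=date(2015, 8, 4), event_class="Remote Exploit",
    attacker="IP w.x.y.z", target=("Industry X", "Business A", "IP a.b.c.d", "Vuln x-1"),
)
CW1 = CauseWarning("CW1", date(2015, 8, 1), 0.25, "Remote Exploit", None,
                   ("Industry X", "Business A", None, None), date(2015, 8, 4))
CW2 = CauseWarning("CW2", date(2015, 8, 3), 0.40, "Remote Exploit", "IP w.x.y.z",
                   ("Industry X", "Business A", "IP a.b.c.d", None), date(2015, 8, 4))
CW3 = CauseWarning("CW3", date(2015, 8, 6), 0.75, "Remote Exploit", "IP w.x.y.z",
                   ("Industry X", "Business A", "IP a.b.c.d", "Vuln x-1"), date(2015, 8, 4))

if __name__ == "__main__":
    for w in (CW1, CW2, CW3):
        print(w.warning_id, score(w, GROUND_TRUTH))
```

Running the block prints the lead times 9/7/4 days, probability scores .4375/.64/.9375 and utility times 3/1/0 days that the slide rounds to .44/.64/.94; the location-quality prefix product is what makes a warning that names the right industry but the wrong organization earn only 1/4 even if its IP and vulnerability happen to be right.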

Metrics
Recall =
(number of cyber events identified by the Government team for which the performer
team sent a warning to IARPA with non-zero lead time and quality)
/ (total number of relevant cyber events identified by the Government team)

False Discovery Rate =
(number of false warnings identified by the Government team among the warnings the
performer team sent to IARPA)
/ (total number of cyber event warnings sent to IARPA by the performer team)
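Recall and False Discovery Rate as defined above, computed over a constructed set of reviewed warnings and compared with the Phase 1-3 thresholds from the Milestones slide. This is an added example, not IARPA's evaluation code; the ScoredWarning record, the idea that the Government team marks a false warning by leaving it unmatched, and the sample data are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ScoredWarning:
    """A warning after Government review. matched_event is the ground-truth event id
    the warning was judged to correspond to, or None when it was judged false."""
    warning_id: str
    matched_event: Optional[str]
    lead_time_days: int   # lead time metric from the Metrics slide
    quality: float        # q = q1 + q2 + q3 + q4 from the Quality of Warning slide


def recall(events: Sequence[str], warnings: Sequence[ScoredWarning]) -> float:
    """Events that received at least one warning with non-zero lead time AND non-zero
    quality, divided by all relevant events. Late (lead time 0) or empty (quality 0)
    warnings earn no credit even when matched; successive warnings count once."""
    if not events:
        return 0.0
    relevant = set(events)
    credited = {w.matched_event for w in warnings
                if w.matched_event in relevant and w.lead_time_days > 0 and w.quality > 0}
    return len(credited) / len(events)


def false_discovery_rate(warnings: Sequence[ScoredWarning]) -> float:
    """Warnings judged false by the Government team divided by all warnings sent."""
    if not warnings:
        return 0.0
    false_warnings = sum(1 for w in warnings if w.matched_event is None)
    return false_warnings / len(warnings)


def meets_milestone(events: Sequence[str], warnings: Sequence[ScoredWarning], phase: int) -> dict:
    """Check recall and FDR against the Milestones slide: recall 0.5 / 0.7 / 0.8 and
    FDR < 0.5 / < 0.2 / < 0.1 for Phases 1, 2 and 3."""
    targets = {1: (0.5, 0.5), 2: (0.7, 0.2), 3: (0.8, 0.1)}
    min_recall, max_fdr = targets[phase]
    r, f = recall(events, warnings), false_discovery_rate(warnings)
    return {"recall": r, "fdr": f, "recall_ok": r >= min_recall, "fdr_ok": f < max_fdr}


# Constructed sample: five relevant events and seven warnings from one performer team.
EVENTS = ["E1", "E2", "E3", "E4", "E5"]
WARNINGS = [
    ScoredWarning("W1", "E1", 9, 2.5),    # early, partial detail: E1 is credited
    ScoredWarning("W2", "E1", 4, 3.67),   # successive warning for E1: still one event
    ScoredWarning("W3", "E2", 0, 3.0),    # arrived after the incident report: no credit
    ScoredWarning("W4", "E3", 2, 0.0),    # matched but carries no usable detail: no credit
    ScoredWarning("W5", "E4", 5, 1.5),    # E4 is credited
    ScoredWarning("W6", None, 3, 2.0),    # judged false by the Government team
    ScoredWarning("W7", None, 6, 1.0),    # judged false by the Government team
]

if __name__ == "__main__":
    for phase in (1, 2, 3):
        print(phase, meets_milestone(EVENTS, WARNINGS, phase))
```

With this sample the team clears the Phase 1 FDR bar (2 of 7 warnings false, 0.29 < 0.5) but not the recall bar (only E1 and E4 credited, 0.4 < 0.5), which illustrates why a late or content-free warning is worth nothing under this metric even when it points at a real event.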

Cyber-attack Events
Examples of events to forecast:

Unauthorized Access: An individual gains logical access without permission to a
network, system, application, data, or other resource.

Denial of Service (DoS): An attack that successfully prevents or impairs the normal
authorized functionality of networks, systems or applications by exhausting resources.

Malicious Code: Successful installation of malicious software that infects an
operating system or application.

Scans/Probes/Attempted Access: Activity that seeks to access or identify a computer,
open ports, protocols, service, or any combination for later exploit. This activity
does not directly result in a compromise or denial of service.

If you have any suggestions, please submit an index card!

Warning Generation
It is expected that the technology developed under this effort
will have no human in the loop.
Experts can help develop and train the system, but they
will not manually generate warnings, guide the system, or
filter warnings before they are sent to IARPA.
Teams' systems must include an audit trail for each warning,
listing relevant evidence and weights.
Warnings that are related should be explicitly identified for
additional evaluation by the Government team:
Successive warnings for the same event,
Warnings for mutually exclusive events.
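One way an automated system can satisfy the audit-trail and related-warning requirements above, as an added example that is not part of the deck or any performer's system: each warning records every piece of evidence with its weight and contribution, and successive warnings carry an explicit link to the earlier one. The logistic combination, the bias value, the evidence weights and the evidence items themselves are constructed assumptions; CAUSE prescribes no particular model.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Evidence:
    """One observation the system weighed. weight is the model coefficient for this
    indicator type and strength (0..1) how strongly it was observed (constructed values)."""
    source: str
    indicator: str
    weight: float
    strength: float


@dataclass
class GeneratedWarning:
    """{time stamp, probability, event details} plus the audit trail and explicit links
    to related warnings, so the Government team can evaluate them together."""
    warning_id: str
    timestamp: str
    probability: float
    event_details: Dict[str, str]
    audit_trail: List[dict] = field(default_factory=list)
    related: List[Tuple[str, str]] = field(default_factory=list)   # (warning_id, relation)


def generate_warning(warning_id: str, evidence: Sequence[Evidence], event_details: Dict[str, str],
                     bias: float = -2.0, related: Sequence[Tuple[str, str]] = ()) -> GeneratedWarning:
    """Combine weighted evidence into a probability with no human in the loop.
    Assumption: P = sigmoid(bias + sum(weight * strength)). Every item is logged with
    its contribution so the assigned probability can be audited after the fact."""
    logit = bias
    trail = []
    for e in evidence:
        contribution = e.weight * e.strength
        logit += contribution
        trail.append({"source": e.source, "indicator": e.indicator, "weight": e.weight,
                      "strength": e.strength, "contribution": round(contribution, 4)})
    probability = 1.0 / (1.0 + math.exp(-logit))
    return GeneratedWarning(
        warning_id=warning_id,
        timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        probability=round(probability, 4),
        event_details=dict(event_details),
        audit_trail=trail,
        related=list(related),
    )


# Constructed evidence for an illustrative warning; none of it is a real observation.
EVIDENCE_DAY_1 = [
    Evidence("paste site", "credential dump naming the organization's mail domain", 1.5, 1.0),
    Evidence("underground forum", "thread about an exploit for a product the organization runs", 1.0, 0.8),
    Evidence("domain registrations", "new look-alike domains for the organization", 1.2, 0.5),
]
DETAILS = {"event_class": "Unauthorized Access", "target": "Business A"}


def first_warning() -> GeneratedWarning:
    return generate_warning("CW1", EVIDENCE_DAY_1, DETAILS)


def successive_warning() -> GeneratedWarning:
    """Same event, new evidence two days later; linked to CW1 as the slide requires."""
    more = EVIDENCE_DAY_1 + [Evidence("vulnerability feed", "public exploit released for that product", 1.3, 1.0)]
    return generate_warning("CW2", more, DETAILS,
                            related=[("CW1", "successive warning for the same event")])


if __name__ == "__main__":
    for w in (first_warning(), successive_warning()):
        print(w.warning_id, w.probability, w.related)
        for row in w.audit_trail:
            print("   ", row)
```

Because the trail stores the weight and strength separately from their product, an evaluator can see both how much a source mattered in general (the weight) and how strongly it fired for this warning, and the related list makes CW2 a refinement of CW1 rather than an independent second forecast.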

Program Structure


Program Structure
Phase 1 (18 months): External Data Sources
Goal 1: Identify predictive threat signals from technical and unconventional sources
Goal 2: Perform data classification and training for model development
Goal 3: Generate warnings
Phase 2 (12 months): Data Fusion w/Internal Data Sources
Goal 1: Create a data fusion model for integrating external and internal data
Goal 2: Research highly effective algorithms for processing massive data
Goal 3: Generate warnings
Phase 3 (12 months): Solution Flexibility Enhancement
Goal 1: Evaluate solution flexibility to integrate within a new organization
Goal 2: Evaluate capability for forecasting cyber attacks across multiple organizations
Goal 3: Generate warnings

Milestones

Metric                       Phase 1   Phase 2   Phase 3
Mean Lead Time               2 days    3 days    5 days
Mean Probability Score       -         -         -
Mean Utility Time            1 day     2 days    3 days
Mean Quality Score           2.4       3.2       3.5
Recall                       0.5       0.7       0.8
False Discovery Rate (FDR)   < 0.5     < 0.2     < 0.1

What CAUSE is not

Not a program focused on:
Identification of specific individuals
Collection mechanisms that require directed participation by individuals

Not narrowly focused on a single data source or type
Not a program on developing intrusion detection capabilities leveraging internal data
Not a program focused on insider threats
Not a program on data visualization

Data
Acquisition/collection of external data will require resources
(time and budget) from each team, and data requirements will
likely overlap across teams.
In later phases, performers will use internal data from
participating U.S. business sector organization(s).
Performers may want to access their own or another
organization's internal technical data sources earlier in the
program to aid R&D of novel sensors to support future program
goals.
The BAA will ask bidders to identify internal data sources required
to extract novel signals from participating U.S. business sector
organization(s).

CAUSE Notional Data Flow Diagram

[Diagram; only its labels survive extraction. Components shown:]
Phase 1: External Unconventional Sensor Data; Data Collection and Processing;
Performer 1, Performer 2 ... Performer n Forecasting Models; Phase 1 Warnings;
Warning Ingest and Review; T&E Scoring.
Phase 2: Industry Data Provider(s); External Unconventional Sensor Data; Ground Truth;
Internal Sensor Data; Normalization & Encoding; Data Collection and Processing;
Performer 1, Performer 2 ... Performer n Forecasting Models; Phase 2 Warnings;
Warning Ingest and Review; T&E Scoring; Phase 2 Data Provider Protected Enclave (TBD).

Team Composition
Given the combination of technical challenges, we anticipate
teams will possess expertise in:

Computer science
Data science
Social and Behavioral science
Mathematics and statistics
Content extraction
Information theory
Cyber-security
Software development


Teaming
Because of the many challenges presented by this program, both depth
and diversity will be beneficial.
Throughput. Consider all that you will need to do, all the ideas you will
need to test.
Make sure you have enough people with the right expertise to do the job.
Sufficient resources to follow the critical path while still exploring
alternatives (risk mitigation).
Completeness. Teams should not lack any capability necessary for success,
e.g., mitigate any dependency risks.
Tightly knit teams.
Clear, strong management, and a single point of contact.
No loose confederations.
Each team member should be contributing significantly to the program
goals. Explain why each member is important, i.e., if you didn't have them,
what wouldn't get done?

Remember, you may be very accomplished, but can you do it all?

Summary
CAUSE seeks to develop new automated methods for
forecasting and detecting cyber-attacks, hours to weeks
earlier than existing methods.
The Program aims to develop and validate unconventional
multi-disciplined sensor technology that will forecast
cyber-attacks and complement existing advanced intrusion
detection capabilities.
We are looking for well-executed, creative ideas for
unconventional sensors.
The BAA supersedes anything presented or said at the
Proposers Day by IARPA.

Questions?

If you have questions, suggestions, and comments please submit an index card now!

Contracting Overview

Mr. Tarek Abboushi


Doing Business with IARPA - Recurring Questions

Questions and Answers (http://www.iarpa.gov/index.php/faqs)
Eligibility Info
Intellectual Property
Pre-Publication Review
Preparing the Proposal (Broad Agency Announcement (BAA) Section 4)
Electronic Proposal Delivery (https://iarpa-ideas.gov)
Organizational Conflicts of Interest
(http://www.iarpa.gov/index.php/working-with-iarpa/iarpas-approach-to-oci)
Streamlining the Award Process
Accounting system
Key Personnel
IARPA Funds Applied Research

RECOMMENDATION: Please read the entire BAA

Responding to Q&As
Please read the entire BAA before submitting questions
Pay attention to Section 4 (Application & Submission Info)
Read the Frequently Asked Questions on the IARPA website at
http://www.iarpa.gov/index.php/faqs
Send your questions as soon as possible
CAUSE BAA: dni-iarpa-baa-15-06@iarpa.gov
Write questions as clearly as possible
Do NOT include proprietary information

Eligible Applicants
Collaborative efforts/teaming strongly encouraged
Content, communications, networking, and team formation are
the responsibility of Proposers
Foreign organizations and/or individuals may participate
Must comply with Non-Disclosure Agreements, Security
Regulations, Export Control Laws, etc., as appropriate, as
identified in the BAA

Ineligible Organizations
Other Government Agencies, Federally Funded Research and
Development Centers (FFRDCs), University Affiliated
Research Centers (UARCs), and any organizations that have a
special relationship with the Government, including access to
privileged and/or proprietary information, or access to
Government equipment or real property, are not eligible to
submit proposals under this BAA or participate as team
members under proposals submitted by eligible entities.


Intellectual Property (IP)

Unless otherwise requested, Government rights for data
first produced under IARPA contracts will be UNLIMITED.
At a minimum, IARPA requires Government Purpose
Rights (GPR) for data developed with mixed funding.
Exceptions to GPR: state in the proposal any restrictions on
deliverables relating to existing materials (data, software, tools, etc.)
If selected for negotiations, you must provide the terms
relating to any restricted data or software to the
Contracting Officer.

Pre-Publication Review
For funded Applied Research efforts, IARPA encourages
publication for peer review of UNCLASSIFIED research.
Prior to public release of any work submitted for publication,
the Performer will:
Provide copies to the IARPA PM and Contracting Officer
Representative (COR/COTR)
Ensure shared understanding of applied research implications
between IARPA and Performers
Obtain IARPA PM approval for release

Preparing the Proposal

Note restrictions in BAA Section 4 on proposal submissions.
Interested Offerors must register electronically IAW instructions on:
https://iarpa-ideas.gov
Interested Offerors are strongly encouraged to register in IDEAS at least
1 week prior to the proposal Due Date.
Offerors must ensure the version submitted to IDEAS is the Final Version.
Classified proposals: contact the IARPA Chief of Security.
BAA format is established to answer most questions.
Check FBO for amendments & the IARPA website for Q&As.
BAA Section 5: read the Evaluation Criteria carefully, e.g., "The technical
approach is credible, and includes a clear assessment of primary risks and a
means to address them."

Preparing the Proposal (BAA Sect 4)

Read IARPA's Organizational Conflict of Interest (OCI) policy:
http://www.iarpa.gov/index.php/working-with-iarpa/iarpas-approach-to-oci
See also eligibility restrictions on use of Federally Funded Research and
Development Centers, University Affiliated Research Centers, and other
similar organizations that have a special relationship with the Government.
Focus on possible OCIs of your institution as well as the personnel
on your team.
See Section 4: it specifies the non-Government (e.g., SETA, FFRDC, UARC, etc.)
support we will be using. If you have a potential or perceived conflict,
request a waiver as soon as possible.

Organizational Conflict of Interest (OCI)


If a prospective offeror, or any of its proposed subcontractor
teammates, believes that a potential conflict of interest exists or may
exist (whether organizational or otherwise), the offeror should promptly
raise the issue with IARPA and submit a waiver request by e-mail to the
mailbox address for this BAA at dni-iarpa-baa-15-06@iarpa.gov.
A potential conflict of interest includes but is not limited to any instance
where an offeror, or any of its proposed subcontractor teammates, is
providing either scientific, engineering and technical assistance (SETA)
or technical consultation to IARPA. In all cases, the offeror shall identify
the contract under which the SETA or consultant support is being
provided.
Without a waiver from the IARPA Director, neither an offeror, nor its
proposed subcontractor teammates, can simultaneously provide SETA
support or technical consultation to IARPA and compete or perform as
a Performer under this solicitation.

Streamlining the Award Process

Cost Proposal: we only need what we ask for in the BAA.
Approved accounting system needed for Cost Reimbursable contracts:
Must be able to accumulate costs on a job-order basis
DCAA (or cognizant auditor) must approve the system
See http://www.dcaa.mil, "Audit Process Overview - Information
for Contractors" under the Guidance tab
Statements of Work (format) may need to be revised.
Key Personnel: expectations of time; note the Evaluation Criteria requiring
relevant experience and expertise.
Following selection, the Contracting Officer may request your review of
subcontractor proposals.

IARPA Funding
IARPA funds Applied Research for the Intelligence
Community (IC)
IARPA cannot waive the requirements of Export
Administrative Regulation (EAR) or International Traffic in
Arms Regulation (ITAR)
Not subject to DoD funding restrictions for R&D related to
overhead rates

IARPA is not a DOD organization


Disclaimer
This is Applied Research for the Intelligence Community
Content of the Final BAA will be specific to this program
The Final BAA is being developed
Following issuance, look for Amendments and Q&As
There will likely be changes
The information conveyed in this brief and discussion is for
planning purposes and is subject to change prior to the
release of the Final BAA.


QUESTIONS ?


CAUSE Program Q&A

Mr. Robert Rahmer, Program Manager


IARPA Office for Anticipating Surprise

ADI TECHNOLOGIES

RepKnight Social Networks OSINT (Open Source Intelligence) as a
complement to SIGINT, MILINT, HUMINT

George Barros
Social Media Engineer/CISO
ADI Technologies, Inc.
gbarros@repknight.com
(703) 734-9626
www.aditechnologies.com

Predicting Cyber Attacks through Interaction and Actor Behavior Modeling and Event Detection in
Dark Web, Black Market and Underground Forums
Robert Filar
Battelle Cyber Innovations
filarr@battelle.org

Ernest Hampson, Ph.D.
Battelle Cyber Innovations
hampsone@battelle.org

ABSTRACT

Current state-of-the-art cyber security technology relies heavily on signatures to derive threats or
anomalies. While this approach has proven valuable in the past, attacks have grown in sophistication and
these techniques have led cyber security practitioners to focus on the effects of an attack as opposed
to determining and mitigating the cause. A shortcoming of these systems is a lack of novel sources for
data enrichment and probabilistic warnings based on unconventional data sources. One such source is
the significant amount of cyber threat activity that occurs within Dark Web, black market and
underground forums/marketplaces. However, unlike traditional social media, forum data presents
problems when performing social network analysis and event detection. Properly modeling interactions
among nefarious actors can lead to accurate depictions of threat community behavior. This technique
aids in uncovering illicit networks, identifying influential members, and generating accurate social
graphs.
In its proposed research for CAUSE, Battelle will seek to enhance its technology called DarkScout that
collects and integrates forum, marketplace and social content with flexible tools for the structured
consumption of irregular media in hostile web environments. DarkScout uses language-agnostic
algorithms to collect, organize and analyze contextual information surrounding media items to uncover
community structures, and adversary pattern-of-life, trends, motivation, intent and capabilities. Further,
SME-developed ontologies provide a foundation for performing event detection and training text
analysis classifiers to extract potential indicators of cyber attack. The identification of anomalous events
is augmented with pattern-of-life analysis to provide a temporal view of incoming threats.
In its CAUSE-supported research, Battelle will augment Interaction Modeling, Actor Behavior Models
and integrate technology to analyze and de-anonymize Bitcoin sale/purchase activity to capture
communication exchanges more accurately within threat-actor forums and enrich it with temporal event
data, yielding robust information propagation models. Propagation models provide definitive analysis of
how far and how fast information spreads, and indicates threat momentum. Entity extraction of technical
indicators will inform propagation models to provide a realistic view of whether threat actors are
seeking to exploit an attack vector, and provide early warning of cyber attacks via a robust Application
Programming Interface. Battelle will seek to work with other researchers who are developing advanced
Intrusion Detection Systems and network sensor systems that would benefit from enriched data sources
and models depicting threat-actor behavior and activity.

Battelle Cyber Innovations
Lead Investigator: Dr. Ernest Hampson

Research Areas
- Cyber Command and Control Technologies
- Anonymous Internet Communications
- Network Security
- Firmware Reverse Engineering
- Cyber/Threat Intelligence
- Hardware Reverse Engineering
- Software/Malware Reverse Engineering
- Mobile Security
- Integrated Circuit Exploitation
- Foreign Materiel Exploitation

[Figure: capability stack spanning Silicon, Hardware, Firmware, Operating System and Application.]


Qualification and Capabilities
- DarkScout: Automated collection, organization and analysis of Dark Web/Underground content.
- PEAR: Next-generation mis-/non-attributable internet communications via asynchronous routing.
- ECAT: Authentication of electronic components in the supply chain via statistical analysis of noise signals.
- Cantor Dust: Statistical binary analysis platform for unknown data streams.
- BIOS-HV: Type 1 hypervisor for pre-boot environments with automated analysis & manipulation capabilities.
- Attack of the Clones: 0day and N-day vulnerability discovery across massive firmware libraries.
- Spinning Top: Authentication bypass and remote access to smartphones via baseband exploitation.
- ICE: Novel methods for flash memory extraction using Photon Emission Microscopy.

Specific Capabilities and Teaming Needs

Battelle will develop an automated collection and analysis platform that provides enriched data sources and probabilistic threat warnings derived from Dark Web, black market and underground web forums and marketplaces. Battelle seeks teammates who are developing advanced intrusion detection systems and/or network sensor systems that would ingest these models and combine them with other technical indicators to provide accurate cyber-attack early warning and mitigation.

Contact Information

Tami Peli
V.P., Director of Business Development
Battelle Cyber Innovations
peli@battelle.org
571-227-6314 (office)
781-856-8098 (mobile)
http://www.battelle.org/ourwork/national-security/cyberinnovations

Dr. Paulo Shakarian is an Assistant Professor at Arizona State University where he works in the Big Data group. He specializes in advanced data analytics, network science, artificial intelligence, and cybersecurity. Specific application domains have included intelligence analysis, counter-insurgency, counter-IED, law enforcement, and cyber-security. His previous work has been presented at major academic venues including KDD, AAMAS, and ESORICS as well as industry conferences such as ShmooCon. His work has been funded by the ARO, DARPA, IARPA, and USAF A2II. Shakarian's work on analyzing geospatial data resulted in the "SCARE" software for locating weapons caches that was used by Task Force Paladin in Afghanistan and also featured in The Economist. His work on social network data analytics resulted in the "GANG" and "SNAKE" software packages that are currently in use by the Chicago Police and also featured in Popular Science. Dr. Shakarian is also the author of two books, including Elsevier's Introduction to Cyber-Warfare. Previously, Dr. Shakarian was a commissioned officer in the U.S. Army where he worked in a variety of intelligence positions that included combat tours in Operation Iraqi Freedom. He is a recipient of the Bronze Star and Army Commendation Medal for Valor.

Contact information:

Paulo Shakarian, Ph.D.
Assistant Professor and
Director, Cyber-Socio Intelligent Systems (CySIS) Lab
Arizona State University
BYENG 408
699 S. Mill Ave.
Tempe, AZ 85281
(480) 727-5290 (o)
(480) 965-2751 (f)
shak@asu.edu
http://shakarian.net/paulo

Florida Center for Cybersecurity (FC2)
University of South Florida (USF)
Adaptive Immersion Technologies (AIT)

The Florida Center for Cybersecurity (FC2), with ongoing funding from the Florida State Legislature, is an initiative to lead and coordinate cybersecurity research, education and outreach across the state and beyond. FC2 brings access to researchers across all 12 institutions in Florida's State University System (SUS) as well as collaborative engagement among government, defense and business communities.

The University of South Florida (USF) is a high-impact, global research university, classified by the Carnegie Foundation for the Advancement of Teaching as a community engaged university and as in the top tier of research universities, a distinction attained by only 2.2 percent of all universities. USF is home to the Program in National and Competitive Intelligence, an Intelligence Community Center of Academic Excellence. USF and FC2 also have been designated by the National Security Agency (NSA) and the Department of Homeland Security (DHS) as a National Center of Academic Excellence in Information Assurance/Cybersecurity for academic years 2014-2019. USF's School of Information has distinctive capabilities and subject matter expertise in (1) Cyber Intelligence: collection and analysis of information concerning the intentions, capabilities and activities of adversaries and competitors in the cyber domain; (2) Applying intelligence analytic methods and technologies to the cyber domain; (3) Adversary characterization, risk/threat assessment, and threat actor behavior; and (4) Integrating collection and knowledge management technologies to improve the efficiency of cybersecurity operations. Key personnel include Scuba Steve Gary, Former Chief of Cyber Intelligence, US Special Operations Command, who holds an active clearance and an MS in Cyber Operations; and Dr. Randy Borum (Cleared), Psychologist and former science advisor to the DNI and IARPA, who specializes in applying intelligence analytic methods to the cyber domain, strategy and analytic decision making.

Adaptive Immersion Technologies (AIT) develops simulation-based personnel selection, training, and performance management systems that promote human resilience in physically, cognitively, and psychologically taxing performance domains. They tailor systems to integrate a trilogy of performance solutions through prediction, enhancement, and support, using a synthesis of concepts from data science, human simulation, and adaptive assessment technology to optimize human performance. AIT has distinctive capabilities and subject matter expertise in (1) Novel machine learning applications to complex human performance prediction problems; (2) Computational modeling of human performance; (3) Technology-enabled training, performance assessment and diagnosis employing modern psychometric theory; and (4) Algorithm development, optimization, and benchmarking for real time, simulation-based assessment.

Contact:
Scuba Steve Gary
Assistant Professor of Practice
School of Information, University of South Florida
sgary@usf.edu

Florida Center for Cybersecurity (FC2)
University of South Florida (USF)
Adaptive Immersion Technologies (AIT)

Unique Qualifications & Capabilities:
FC2:
- Access to researchers across 12 institutions in Florida's State University System (SUS)
- Academic and Research Outreach across Florida
- Top Secret Facility Clearance
USF:
- Cyber Intelligence: collection and analysis of information concerning the intentions, capabilities and activities of adversaries and competitors in the cyber domain
- Using analytic and visual cognition (through data visualization) to enhance human sensor capabilities for cyber anomaly detection and forecasting
- Combining information analytics and structured intelligence analytic techniques to develop operationally relevant threat actor profiles in the cyber domain (e.g., categories, database)
- Discerning attack/activity trends within an industry or sector to develop probabilistic risk/threat assessments (e.g., targets, tactics)
- Integrating collection and knowledge management technologies to improve the efficiency of cybersecurity operations
AIT:
- Novel machine learning applications to complex human performance prediction problems
- Computational modeling of human performance
- Technology-enabled performance assessment and diagnosis
- Computer-adaptive assessment and training employing modern psychometric theory
- Algorithm development, optimization, and benchmarking for real time, simulation-based assessment

Open to collaborative research, to include:
- Cyber Intelligence
- Human Sensors
- Machine Learning
- Computational Modeling of Human Performance

Advancing cybersecurity through outreach, research and collaboration with academia, industry and government.

CAUSE-specific Capabilities & Interests:
- Developing novel methodologies for measuring behavioral signatures of individual operators and networks of operators
- Pattern recognition of complex patterns of free cyber attack activities within distributed, networked environments
- Evolution and application of machine learning algorithms for complex pattern recognition within the cyber domain
- Algorithm boosting for enhanced detection accuracy with low base rate events useful for forecasting critical cyber events
- Develop database to categorize cyber threat actor profiles based on capabilities, intentions, targets, activities
- Predictive cyber threat analysis for threat/risk assessments
- Using analytic and visual cognition (through data visualization) to enhance human sensor capabilities for cyber anomaly detection and forecasting
- Cyber threat actor trend analysis

Key Members' Experience (Clearance Status):
- Scuba Steve Gary - Former Chief of Cyber Intelligence, US Special Operations Command. MS in Cyber Operations. (Cleared)
- Dr. Randy Borum - Psychologist. Intelligence analytic methods in the cyber domain. Strategy and decision making. (Cleared)
- Dr. Phillip Mangos - President and Chief Scientist of Adaptive Immersion Technologies, a Florida-headquartered small business. (Pending)
- Adam Sheffield - Program Manager, FC2 & HUMINT Targeting Analyst. (Cleared)

Scuba Steve Gary
Assistant Professor of Practice
School of Information, University of South Florida
sgary@usf.edu
813-974-3520

Galois and Adversarial Reasoning

Galois, Inc. is interested in applying our experience in the area of adversarial reasoning to
the IARPA CAUSE program. The Adversarial Reasoning effort at Galois comprises
three complementary threads:
1. Investigating the nature of deception and counterdeception, particularly as it
applies to the cyber domain. Cyber adversaries rely on deceptive attack
techniques, and understanding patterns of deception enables accurate predictions
and proactive counterdeceptive responses.
2. Developing strategic, cognitive and game-theoretic approaches to developing
cyber actor models, with a focus on understanding how to reason about the
beliefs, intentions, and objectives of cyber adversaries.
3. Formulating techniques that allow for robust reasoning under conditions of
extreme uncertainty and ambiguity, especially in those circumstances where
statistical data is absent, and the only evidence available is likely to be
fragmentary or conflicting.
We have both prior and ongoing unclassified work with DOD agencies to research and
prototype these capabilities. For the IARPA CAUSE opportunity, we are interested in
partnering with other performers with expertise and interest in any of the following areas:
Methods to manage and extract huge amounts of streaming and batch data
Development of models to generate probabilistic warnings of future cyber events
Multiple sensors not typically used in the cyber domain
About Galois
Galois, Inc. is a computer science R&D firm with the mission to create trustworthiness
in critical systems. Founded in 1999, and located in Portland, Oregon, Galois applies
cutting-edge computer science and mathematics to solve difficult technological problems.
Over its 15-year life, Galois has worked to bring rigorous, mathematically based techniques to challenges in domains such as software correctness, cryptography, cyber-physical systems, mobile security, machine learning, and human-computer interaction. Galois continues to work with a wide variety of government and commercial clients, particularly in the DOD and IC.

David Burke, PI
Galois, Inc.
Creating trustworthiness in critical systems
Founded in 1999, 50+ employees, based in
Portland OR.
Numerous DOD, IC, Government & Commercial
clients.
Extensive experience in domains such as software
correctness, mobile security, cyber physical
systems, computer security, cryptography, machine
learning, and human-computer interaction.

Adversarial Reasoning Program at Galois:
1. Nature of deception and counterdeception, particularly as applied to the cyber domain.
2. Strategic/Game Theoretic thinking about adversaries and cyber actor models, incorporating beliefs, intentions, and goals.
3. Techniques that apply in conditions of extreme uncertainty (ambiguity vs. risk).
We have both prior and ongoing efforts with DOD agencies on these topics; come talk to me for more details.

The CAUSE Program anticipates:
1. methods to manage and extract huge amounts of streaming and batch data.
2. the development of models to generate probabilistic warnings for future cyber events.
3. multiple sensors not typically used in the cyber domain.
4. application and introduction of new and existing features from other disciplines to the cyber domain.
We're interested in talking to potential partners in any of these areas who are both enthusiastic and ambitious about their offerings.

Contact Information

David Burke
Research Program Lead
Galois, Inc.
davidb@galois.com
(503) 330-9512
www.galois.com

IBM's Cognitive Cyber Security Defense (CCD) is a big data and analytic solution that employs machine learning techniques to provide an adaptive and agile defensive posture in real time. It is an integrated solution with proven machine learning models from IBM Research, with the ability to build new families of Cyber models to react to the ever-changing Advanced Persistent Threat (APT) environment. The Cognitive Cyber Security Defense solution is designed to scale from an entry-basic configuration up to a full-capability system depending on your cyber defense needs. It provides a machine learning workbench for the development of your own predictive cyber models. These models can perform behavior analytics, target specific DNS-related attack types, and model the behavior of netflow data. Key attributes of the system are:
1. The CCD solution is an APT detector comprised of a family of pretrained machine learning models, with output to rich visualization
2. The solution runs on x86 infrastructure running RHEL 6.1 or higher
3. It can connect to existing Cyber SIEM, Big Data or Cloud Solutions
4. The Models dynamically update with changing threat vectors
5. We have field tested this solution with numerous customers, from Utilities to telcos to large commercial entities

IBM Cognitive Cyber Defense
IARPA CAUSE
IBM's Machine Learning Cyber Security Solution

21 January 2015
Greg Porpora
IBM Federal Chief Engineer, Cognitive Computing & Analytics

IBM's Cognitive Cyber Defense
- Advanced Persistent Threat (APT) Network Detector
- Machine Learning Based APT Detector comprised of a family of Supervised and Unsupervised models
- Analyzes Net Flow and/or DNS data in real-time
- Can scale to 32TB per day
- Advanced reporting capabilities
- Botnet topology reconstruction via I2
- Cyber Command Center View
- Deep Forensic drill down
- COTS-based technology: SPSS, Infosphere Streams, Cognos BI
- Open APIs with support for Hadoop clouds, Qradar, SIEMs, other data repositories
© 2014 IBM Corporation

Netflow & DNS-based Advanced Persistent Threat Anomaly Detection
- Detect anomalous behavior as it appears
- Real-time detection in seconds of unknown attacks
- Can easily scale to 32TB per day ingest
- Models dynamically adapt to changing signatures

[Figure: pipeline of Ingest live Netflow & DNS data -> Extract Netflow & DNS features -> Anomaly detection via trained models -> Dynamically retrain models, with Visualization of the results.]

Cognitive Cyber Defense basic real-time Cyber analysis workflow inside Infosphere Streams

[Figure: workflow diagram. Inputs PCAP-DNS and Net Flow, with Blacklist & Whitelist monitoring both in and out, enriched via WHOIS or Maxmind and scored by Base Models.]
- Beaconing-Exfiltration tests
- Compare detected Fast Flux DNS and associated IP addresses performing Intrusion to outbound DNS-IP traffic for matches
- Match real-time behavior-signature to historically derived and dynamically updated
- Network Behavior Modeling: Fast Fluxing, DNS Amplification Attacks, DNS Poisoning, DNS Tunneling
- Net Flow Behavior Modeling

CCD Visualizing Threats:
- (Cognos) APT Detection, Forensic Analysis
- (i2) Botnet Topology and Attack Reconstruction
- Adaptive Profiling
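One of the "Beaconing-Exfiltration tests" named on the slide, worked as an added example (this is not IBM's CCD code): a periodicity check over Netflow-style records that flags source/destination/port groups whose inter-arrival times are nearly constant, the signature of a compromised host polling its controller on a timer. The record layout, thresholds and sample flows are all constructed for this example.

```python
"""Beaconing test over Netflow-style records (added example, not IBM's CCD code).

A host under C2 control typically contacts its controller at a fixed interval; on
Netflow that shows up as a run of small outbound flows to the same destination with
near-constant inter-arrival times. The record layout, thresholds and sample values
below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flows: ISO timestamp, src, dst, dst port, bytes out.
# 10.0.0.5 beacons to 203.0.113.10 roughly every 60 s; 10.0.0.7 browses irregularly;
# 10.0.0.9 has too few flows for a periodicity estimate.
SAMPLE_NETFLOW = """\
2015-01-21T09:00:00,10.0.0.5,203.0.113.10,443,512
2015-01-21T09:01:00,10.0.0.5,203.0.113.10,443,498
2015-01-21T09:01:59,10.0.0.5,203.0.113.10,443,510
2015-01-21T09:03:00,10.0.0.5,203.0.113.10,443,505
2015-01-21T09:04:00,10.0.0.5,203.0.113.10,443,501
2015-01-21T09:05:02,10.0.0.5,203.0.113.10,443,520
2015-01-21T09:06:00,10.0.0.5,203.0.113.10,443,499
2015-01-21T09:07:00,10.0.0.5,203.0.113.10,443,511
2015-01-21T09:00:00,10.0.0.7,198.51.100.20,80,14233
2015-01-21T09:00:15,10.0.0.7,198.51.100.20,80,2048
2015-01-21T09:03:20,10.0.0.7,198.51.100.20,80,90211
2015-01-21T09:03:50,10.0.0.7,198.51.100.20,80,1200
2015-01-21T09:15:00,10.0.0.7,198.51.100.20,80,3300
2015-01-21T09:15:05,10.0.0.7,198.51.100.20,80,800
2015-01-21T09:25:00,10.0.0.7,198.51.100.20,80,45000
2015-01-21T09:10:00,10.0.0.9,192.0.2.30,22,70000
2015-01-21T09:11:00,10.0.0.9,192.0.2.30,22,70000
"""


def parse_flows(text):
    """Parse CSV lines into (timestamp, src, dst, dport, bytes_out) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def inter_arrival_seconds(timestamps):
    """Gaps between consecutive flows, in seconds, after sorting by time."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def find_beacons(flows, min_flows=6, max_cv=0.15):
    """Return {(src, dst, dport): stats} for flow groups that look periodic.

    A group qualifies when it has at least `min_flows` flows and the coefficient of
    variation (stddev / mean) of its inter-arrival times is at most `max_cv`.
    Groups with too few flows are skipped: a CV over two or three gaps is noise.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        groups[(src, dst, dport)].append((ts, nbytes))

    beacons = {}
    for key, recs in groups.items():
        if len(recs) < min_flows:
            continue
        gaps = inter_arrival_seconds([ts for ts, _ in recs])
        period = mean(gaps)
        if period <= 0:  # all flows share one timestamp; not a beacon pattern
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons[key] = {
                "flows": len(recs),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
                "bytes_out": sum(b for _, b in recs),  # exfil volume over the window
            }
    return beacons


def beacon_keys(text=SAMPLE_NETFLOW):
    """Sorted (src, dst, dport) keys flagged with the default thresholds."""
    return sorted(find_beacons(parse_flows(text)))


if __name__ == "__main__":
    for key, stats in find_beacons(parse_flows(SAMPLE_NETFLOW)).items():
        print(key, stats)
```

The CV threshold is the knob to tune against your own baseline: a value around 0.15 tolerates the jitter real beacons add to evade exact-interval checks while still rejecting interactive traffic, whose gaps vary by an order of magnitude.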

Who we are:
- Small, veteran-owned business started in 2001
- 42 technical staff: 17 PhD, 19 MS degrees
- Premium services in decision & risk analysis, operations research, and systems engineering
- GSA MOBIS and SeaPort schedules
- TS facility clearance

IDI is looking to partner with a cyber security firm to research and develop decision analytics in support of Cyberspace Operations.

What we do:
- Decision Support Tools and Analytics Research
  - Cyber Risk Tool
  - Cyber Risk Metrics
- Extract from raw data descriptive and predictive analytics
- Multidisciplinary projects that typically merge social and behavioral science with technical approaches
- Build probabilistic models for environments under conditions of uncertainty (e.g., Multivariate Analysis, Bayesian Networks)

Dennis Buede, President
dbuede@innovativedecisions.com
Judith Jacobson, BD
jjacobson@innovativedecisions.com
Richard Brown, Principal Analyst
rbrown@innovativedecisions.com
www.innovativedecisions.com
703-861-3678

Innovative Analytics, Better Decisions

UNCLASSIFIED

SAILBOAT Overview

[Figure: SAILBOAT (Semi-Active Inference-Level Behavior-Observing Automated Telemetry) overview diagram. Passive sensors produce primary data (packets, sessions, transactions, protocols, inter-session features), which legacy inference turns into secondary (inferred) data on actors, roles, organizations and geolocation, and thence into behavior models of motives, methods and opportunities ("Active Inference to Behavior Model"). Semi-active sensors designed to inference goals, together with operational tools, infer directly to behavior via knowledge propagation ("Active Inference Direct to Behavior").]

Atypical Semi-Active Sensor Techniques

Knowledge/Belief Injection & Propagation Sensors
Example: Certificate compromise rumor injection, followed by semi-active detection of certificate rejection by candidate actors.

Watering-Hole Techniques
Example: Computer service behavior deviations based on triggering events or identifying client behavior / attributes.

Canary Content Placement & Exfiltration Sensors
Example: decoy content with active or semi-active monitoring of sharing and leak sites.

Spear-Flushing
Example: reverse spear-phishing, i.e. induction of secondary behavior based on targeted content.

[Figure: inference chain from Legacy Inference through Actors to Inference Goals.]

Opportunistic, passive cyber data generally drives inferencing into models for Actors, Roles, Locations, Organizations and thence to predictive behavior models such as Motives, Methods, and Opportunities, but may result in sparse, low-confidence data. By adding active sensor components specifically to produce behavioral evidence, we infer more directly to the predictive models, and prioritize efforts where the resulting inferences are most valuable.

Example Narrative
Actor A is high-knowledge and motivated, and has similar attributes to actor B, who is known to have opportunity to access a sensitive asset, but there is no correlating primary evidence that A and B are connected. Through canary or watering hole techniques, an Actor A session is presented with evidence of a compromise of a particular root certificate. The semi-active sensor then uses watering-hole techniques to test when and if Actor B has reconfigured to reject certificates signed by the rumored compromised root certificate. Timing and other data (searches, chatter) may clearly indicate that actor models A and B may be merged, or indicate direct knowledge transfer that implies close knowledge-transfer graph adjacency. A merger of A and B further completes the Motive, Method, and Opportunity characteristics of the Actor model, and indicates a probable attack on the accessible asset.

Potential Advantages

Increased Yield of Critical Inferences
- Design target of what knowledge is needed rather than what is easily collected
- Operational yields with automated effort
- Opportunistic sensors combine with automated operational capabilities.

Reusable components and techniques
- Watering hole infrastructure can be tasked with multiple sensors and goals
- Knowledge propagation sensor pattern can be realized in several technologies.

Risk Mitigation
Risks include the leaking of data state of the model.
Mitigations:
- Probabilistic sensor behavior dithering.
- Hard limits on state-driven sensor action exposures.

EMERGING DOMAINS
INTELLIGENT SYSTEMS FOR FORECASTING AND DETECTING CYBER ATTACKS

Figure 1: Matrix of SoarTech's core capabilities, related applications and relevant examples.

The Challenge: Current approaches to detecting cyber attacks are reactive and shallow. They are reactive because they focus on what adversaries have done in the past, rather than anticipating what they may do in the future. They are shallow because they focus on cyber observables without reasoning about adversaries' goals and objectives.

Potential Approach: Applying SoarTech's core capabilities (shown in Figure 1), we have the experience to combine innovative analytics on observables with sophisticated behavioral models of cyber actors that can support both cognitive reasoning (extending the model through experience and explaining reasoning to humans) and Monte Carlo exploration (for probabilistic forecasting over multiple possible futures).

ENHANCING CYBERSPACE DEFENSE THROUGH BIDIRECTIONAL BEHAVIORAL MODELS

SoarTech POCs:
Dylan Schmorrow, Ph.D.
Chief Scientist
703.424.3138
dylan.schmorrow@soartech.com

Denise Nicholson, Ph.D., CMSP
Director of X
407.616.7651
denise.nicholson@soartech.com

H. Van Dyke Parunak, Ph.D.
Senior Scientist
734.395.3253
van.parunak@soartech.com
We are interested in discussing partnerships and collaborations.
Below are the logos of a few of our Sponsors and Partners for related research.

INTELLIGENT SYSTEMS FOR FORECASTING AND DETECTING CYBER ATTACKS

[Figure: our expertise and proven capabilities: Autonomy, Adaptation, Human/System Interface, Decision Support, Behavior Modeling, Cyber Simulation.]

Multi-Future Probabilistic Forecasting
- Multiple agents search alternative paths through complex behavior models in parallel
- Any-time forecast adjusts in real time to incoming data; runs 104x faster than real time
- Yields probability distribution over alternative futures to support ACH and mitigate cognitive anchoring

Cognitive Red-Team Agents
- Enables scalable, repeatable wargaming and testing of security and network infrastructure

Cyber Sandbox for Attack & Defense Training
- Agent-based cyber ecology provides autonomous adversaries and legitimate users
- Dynamic Tailoring adapts adversaries and environment to maximize learning

Relevant Research to be Leveraged:
- Learned behavior model exposes novel attack vectors
- Agents acting as virtual assistants allow human experts to focus on high level goals
- Constructive sims are readily available for continuous training and evaluation

Research Area of Interest:

Current approaches to detecting cyber attacks are reactive and shallow:
- reactive because they focus on what adversaries have done in the past, rather than anticipating what they may do in the future.
- shallow because they focus on cyber observables without reasoning about adversaries' goals and objectives.
SoarTech combines innovative analytics on observables with sophisticated behavioral models of cyber actors that can support both:
- cognitive reasoning (extending the model through experience and explaining reasoning to humans) and
- Monte Carlo exploration (for probabilistic forecasting over multiple possible futures).

ENHANCING CYBERSPACE DEFENSE THROUGH BIDIRECTIONAL BEHAVIORAL MODELS

POCS
Dylan Schmorrow, Ph.D.
Chief Scientist
703.424.3138
dylan.schmorrow@soartech.com

Denise Nicholson, Ph.D., CMSP
Director of X
407.616.7651
denise.nicholson@soartech.com

H. Van Dyke Parunak, Ph.D.
Senior Scientist
734.395.3253
van.parunak@soartech.com

Cyber-attack Automated Unconventional Sensor Environment (CAUSE)

SRA International, Inc.
Joseph Pemberton
joe_pemberton@sra.com
703-803-1882
Abstract
The growth of cyber incidents, from identity theft to full-scale attacks on corporate and Government cyber assets, highlights the importance of cyber defense to the economic and political security of the country. Existing cyber defense methods typically focus on forensic assessments to answer the question "what happened?" rather than attempting to predict cyber-attacks before they occur. SRA is actively researching ways to improve cyber defense capabilities for our customers. We have extensive experience providing cyber security services to a wide variety of Government agencies. Our subject matter experts understand the current cyber defense landscape, and we have experience and relationships with a wide range of cyber security solution vendors.

SRA has developed and markets NetOwl, a suite of text and entity analytics products. We have recently expanded NetOwl's ontology to cover counterterrorism, intelligence, military, homeland security, law enforcement, business, compliance, and cyber security related areas. Our cyber security ontology integrates cyber-event concepts from the U.S. Department of Defense, US-CERT, and other cyber security organizations, and terminology for critical infrastructure such as energy, financial, and telecommunications facilities and organizations, prime targets of cyber-attacks that could affect U.S. security. Our expanded cyber security ontology is designed to allow organizations to process large volumes of unstructured content and automatically identify key cyber-related events as well as the entities involved in these cyber events.

Our team includes Context Relevant, which provides an optimized machine learning pipeline for analyzing complex data sets. Context Relevant software helps data scientists process unstructured (e.g., dirty/messy) data, including Open Source data, process millions of input dimensions, and automatically generate and explore hundreds of thousands of models in parallel. Their tools have been used to generate efficient predictions of future events. With our teammates, we are currently investigating the application of NetOwl, deep machine learning methods, and big data processing to the problem of analysis and prediction of cyber-attacks. In particular, we are investigating ways to combine both structured and unstructured (messy) data from traditional and nontraditional sources to enable early stage detection of cyber-attacks.

SRA is eager to join the IARPA CAUSE Program, and we are looking for additional teammates to help round out our team.

SRA International
Joseph Pemberton
Current Teammates:
Context Relevant
Bromium

- SRA is interested in new techniques for analyzing adversary behavior to help identify and predict cyber attacks
- Our planned approach integrates machine learning, big data, hypervisors, microvisors, and entity extraction techniques to detect indicators of malicious cyber activity

- SRA provides cyber security solutions to a wide range of Government customers
- We know the limitations of existing cyber tools
- We understand Government cyber defense needs

Our team includes:
- SRA entity analysis experts and tools to efficiently extract content from unstructured data
- Big data and machine learning experts who model large, high-dimensional problem spaces efficiently

We are looking for academic and small business partners to augment our team capabilities:
- Unstructured Data Analysis
- Machine Learning
- Big Data Analysis
- Practical Cyber Security Experience
- Data modeling

Contact Information

Joseph Pemberton
Technical Director
SRA International
joe_pemberton@sra.com
703-803-1882
www.sra.com

ViON Data Adapt Analytics A2000
ViON Big Data Analytic Platform | SOLUTION BRIEF
Threat Detection & Prevention

Identity Analytics for National Security

Our modern world is a place where national security, critical infrastructure and national resources may be at risk due to the actions of small groups of people with anti-social agendas. Those with malicious intent are typically highly motivated to operate covertly, going to great lengths to obscure their identities, relationships and organizational affiliations.

A key weapon in the fight against crime, civil unrest and terrorism is timely and actionable information. Better recognition of identities, relationships and affiliations can provide the hidden intelligence needed to anticipate and prevent catastrophe. To harness data from all available sources and extract actionable intelligence demands unique software-driven capability. ViON's Data Adapt Analytics A2000 appliance for Threat Prediction and Prevention, based upon the Cisco UCS platform, is powered by IBM software specifically designed to recognize attempts to obscure identities and relationships.

About ViON

ViON is a veteran-owned, privately held company with over 34 years of experience building IT enterprise solutions for government and commercial customers. Being independent allows for streamlined decision making and nimble responses to our customers' needs. ViON works with the largest and most innovative OEM suppliers in the industry to design and implement solutions that meet any IT storage or server need. Partners include IBM, Brocade, Cisco, EMC, Hitachi Data Systems, NetApp, and many more.

Known for our engineering expertise and exacting standards, our team ensures that only those with the highest level of training, experience, and industry certifications design, install, maintain, and support our breadth of solutions.

The Data Adapt Analytics Solution

The ViON Data Adapt Analytics A2000 appliance utilizes proven entity resolution and analysis capabilities that have been used for years within government organizations that protect national security. These mission requirements range from borders and port entry to complex counter-insurgency and insider threat detection.

The A2000 was architected to ingest all available data sources. The analytical engine detects intersections in the data that reveal clues about identities and relationships, continuously learning with each new set of data. In this way the data itself reveals the clues that it hides, providing the critical Non-Obvious Relationship Awareness. This approach also reveals multiple degrees of separation between people, essential for mapping out social networks. Behavioral and pattern-based analytics create the ability to observe coordinated movements that would otherwise avoid detection. These analytics are configurable based on thresholds and risk scores that determine who is alerted, when and how. By integrating all these capabilities into a scalable x86 hardware platform, ViON has created a new generation of solution that delivers the value of a complex custom enterprise software system but with the speed, ease and economy of an appliance.

ViON Data Adapt Analytics A2000 Threat Detection & Prevention | SOLUTION BRIEF

Mission Optimized Threat Prediction & Prevention Capabilities


The system's sophisticated disambiguation technologies were specifically created to penetrate the cultural ambiguities,
fabrications & identity misrepresentation tactics nefarious groups and individuals use to hide. It uncovers and links
obvious and non-obvious relationships which may reveal criminal syndicates, gangs, revolutionary organizations or
terrorist cells. Capabilities include:

Full attribution: Achieve greater accuracy with an entity resolution and analytic engine that accumulates a
history as opposed to a snapshot of each individual or company in the database over time.

Relationship resolution: Identify & compare non-obvious relationships between addresses, phone numbers, email addresses, and other characteristics discovered and linked across multiple individuals.

Link analysis: Analyze, visualize, and extend these relationships, building complex structures that reveal the
hierarchies and methods of operation employed by criminal, terrorist and fraudulent networks.

Real-time changes: Compare each identity record to the database upon receipt to determine whether it resolves to an
existing record, is new, or requires an unresolve of an existing record.

Self-healing and self-correcting: Automatically examine and update any entity in the repository that would be
affected based on new observations.

Autonomic real-time alerting: Automatically check new data against existing information as it is ingested and generate alerts, allowing for
detailed analysis of the involved parties.

Global name resolution: Apply linguistic rules automatically to find matches through cultural context via
patented IBM technology.

Behavioral and pattern analysis: Uncover coordinated activities and patterns that provide the capacity to
anticipate a pending threat event via deep data mining and statistical analysis.

Why Data Adapt Analytics Solutions?


More than simply bundling hardware and software, the secret to Data Adapt Analytics offerings such as Threat
Prediction & Prevention is purposeful design. Lessons learned from numerous prior projects have been incorporated into
the product so that customers can begin with configuring the system to their environment, data and mission rather than
locating and hiring the highly specialized skills needed to operationalize the different software components. Integrated
technologies and accelerators are combined in different ways unique to the characteristics of a given mission. The
application exploits the right mix of system resources (processing power, memory and storage, for example) for deeper
levels of optimization to achieve the desired scale, performance, analysis, and user experience.

To learn more about how the ViON Data Adapt Analytics solutions can help you, please visit www.vion.com.

196 Van Buren Street | Herndon, Virginia 20170


(571) 353-6000 | (800) 761-9691 | vion.com
All product names mentioned may be trademarks and/or registered trademarks of their respective companies. All rights reserved.

March 2014, Version 1.0
